[Snort-users] snort placement

Christopher Cook crcook at ...6518...
Sun Aug 4 13:01:02 EDT 2002


What you can do, and what I have set up, is Snort is invisible to 
everything else.  So take my setup at home right now.

CM ----> Snort ----> Router/FW ----> Snort ----> hub ----> computers.

Both snort boxes are address-less and store the data locally in a MySQL 
database with output to ACID to make it all pretty and nice.  This way 
they capture all the traffic, but there's nothing there to give them 
away as being Snort boxes.  So you would take your Cable Modem, plug it 
into one NIC of the Snort, and then connect the other NIC to Router.   
The same thing is done with the inside one, except you connect the 
router to Snort and Snort to the switch.

As someone else pointed out, hooking into the switch more than likely 
won't capture traffic as the switch doesn't broadcast to all ports.  If 
you can turn your switch into a hub, then this would work.

Chris Cook
Security and Support Specialist
Office of Information Technology
Oakland University


neptuna wrote:

>>If I read correctly, this is your current setup
>>
>>Cable Modem ----- Router/FW ---- Dlink switch ---- 3 computers.
>>    
>>
>
>Yes, that is correct.
>
>  
>
>>Snort can be placed in many areas:  Probably the most beneficial would 
>>be in front and behind the router/FW, this way you know what you're 
>>being attacked with and what's getting through the FW.
>>    
>>
>
>Actually I did try to install snort a few months ago and I placed it on
>one of the boxes on the inside (a RH 7.2) box. However it did not
>capture any traffic. 
>
>
>  
>
>>CM ---- Snort --- Router/FW --- Snort ---- Switch ---- computers.
>>    
>>
>
>Let me understand:
>CM -> Snort box plugged into the Ethernet jack of modem -> [ this is
>where i am confused ] Snort box hooked into the Router [ but how ?] ->
>snort box UPlinked to switch -> Switch to internal computers?
> 
>
>  
>
>>You can also hook it up to an open port on the switch and monitor 
>>traffic that way.  All these options are dependent on separate boxes 
>>doing Snort.
>>    
>>
>
>I tried this before (see above)
>
>Thanks very much Chris !!
>
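
Why a passive sensor on an ordinary switch port sees almost nothing, while the same sensor on a hub sees every frame, shown as a toy simulation. This is an added example, not part of the original thread; the port numbers, MAC labels and frame list are constructed sample data.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
PORTS = {1, 2, 3, 4}      # assumed layout: 1=router, 2=pc_a, 3=pc_b, 4=sensor

def hub_deliver(frame, in_port):
    """A hub repeats every frame out of every port except the ingress port."""
    return PORTS - {in_port}

class LearningSwitch:
    def __init__(self):
        self.mac_table = {}   # MAC address -> port it was last seen on

    def deliver(self, frame, in_port):
        src, dst = frame
        self.mac_table[src] = in_port          # learn where the sender lives
        if dst != BROADCAST and dst in self.mac_table:
            out = self.mac_table[dst]
            return set() if out == in_port else {out}
        return PORTS - {in_port}               # broadcast or unknown unicast: flood

def sensor_view(frames, sensor_port, deliver):
    """Frames (in order) that are delivered to sensor_port."""
    return [f for in_port, f in frames if sensor_port in deliver(f, in_port)]

# Constructed traffic as (ingress port, (src MAC, dst MAC)).
# The sensor on port 4 is passive and never transmits.
FRAMES = [
    (2, ("pc_a", BROADCAST)),   # ARP request: flooded to all ports
    (1, ("router", "pc_a")),    # reply: pc_a already learned on port 2
    (2, ("pc_a", "router")),
    (1, ("router", "pc_a")),
    (3, ("pc_b", "router")),    # router already learned on port 1
    (1, ("router", "pc_b")),
]

def compare(frames=FRAMES, sensor_port=4):
    """Return (frames seen on a hub, frames seen on a learning switch)."""
    on_hub = sensor_view(frames, sensor_port, hub_deliver)
    on_switch = sensor_view(frames, sensor_port, LearningSwitch().deliver)
    return len(on_hub), len(on_switch)

if __name__ == "__main__":
    hub_seen, switch_seen = compare()
    print(f"hub: {hub_seen}/{len(FRAMES)} frames, switch: {switch_seen}/{len(FRAMES)} frames")
```

Placing the sensor inline between two devices, as in the diagram above, avoids the problem because every frame on that link has to pass through it.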






